[1999] in linux-security and linux-alert archive


[linux-security] Re: Qpop CERT advisory?

daemon@ATHENA.MIT.EDU (Edward Siewick)
Sat Jul 18 06:55:02 1998

From: esiewick@digipro.com (Edward Siewick)
To: linux-security@redhat.com
Date: Fri, 17 Jul 1998 18:05:38 -0400 (EDT)
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com



>Originally it seemed only Linux was affected. In the intervening weeks I've
>seen someone post a FreeBSD version and yesterday one for SCO (although
>come to think of it that one may not have been qpopper, but whatever pop3
>SCO ships with).

Qpopper is derived from the Berkeley popper.

SCO v3.2r4.2 shipped with a pop3d;
SCO v3.2r5.0 ships with 'popper.'  The CERT thing mentioned:

     Some SCO Operating systems are vulnerable. Patches are currently
     being developed and should be available soon.

We use qpopper on several Linux, SCO, Solaris and HP/UX servers; we just did
them all.


> What I can't believe is how long CERT advisories take to come out these
> days. If I would have waited until I got this one before I patched the one
> box I had that was affected I would have been hacked about 3 times.

I have to wonder about the CERT announcement timing policy.  Anybody know
how they decide when to announce?  At the least, there's a delay of days
while the vendors are contacted with respect to patches and such.  Usually,
Sun has its act together; SCO is "looking into it" or "working on patches"
or some other sort of vague comment.

Edward Siewick
-- 
  ESiewick@DigiPro.com               DigiPro Digital Productions, LLC
  Voice:  703-522-8465                   3100 North Quincy Street
  Fax:    703-522-8417                  Arlington, Virginia  22207

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

